本文不涉及session的timeout
在Forms Authentication里有两处涉及timeout:forms authentication ticket 与 forms authentication cookie
1. 设置 ticket 的 Expiration:
var ticket = new FormsAuthenticationTicket( 1, FormsAuthentication.FormsCookieName, DateTime.Now, DateTime.Now.AddMinutes(60),// Expiration true, user.UserName + "," + user.Password + "," + user.Domain + "," + loginGuid );
2. 设置cookie 的 Expires
HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, isPersistent); cookie.Expires = DateTime.Now.AddDays(14);
3. 在Web.config里设置cookie的timeout(对于不同版本的.NET Framework,此字段timeout含义不同,这里针对.NET Framework 4.0)
<forms cookieless="UseCookies" loginUrl="/Security/Login.svc/Login" name=".ASPXAUTH" requireSSL="true" timeout="60"></forms> <!--For timeout property, its default is 30 minutes-->
4. 在IIS里设置cookie的timeout
以下文字引自:http://support.microsoft.com/kb/910443
I will focus on these two aspects of Forms Authentication in this article to answer the following questions:
- What is forms authentication ticket and forms authentication cookie? How are they related?
- What is the role of a ticket in Forms Authentication?
- How are cookie expiration and ticket expiration related?
- How does sliding expiration work in the context of forms authentication ticket and forms authentication cookie?
- Where can the time-out property of the forms authentication cookie and forms authentication ticket be set?
- Issue scenario: The forms authentication may time out before the timeout attribute value that is set in the configuration file
What is forms authentication ticket and forms authentication cookie? How are they related?
Forms authentication cookie is nothing but the container for forms authentication ticket. The ticket is passed as the value of the forms authentication cookie with each request and is used by forms authentication, on the server, to identify an authenticated user.However, if we choose to use cookieless forms authentication, the ticket will be passed in the URL in an encrypted format. Cookieless forms authentication is used because sometimes the client browsers block cookies. This feature is introduced in the Microsoft .NET Framework 2.0.
For more information, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.cookieless.aspx
(http://msdn2.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.cookieless.aspx)
What is the role of a ticket in Forms Authentication?
The forms authentication ticket is used to tell the ASP.NET application who you are. Thus, ticket is building block of Forms Authentication's security.The ticket is encrypted and signed using the <machineKey> configuration element of the server's Machine.config file. ASP.NET 2.0 uses the decryptionKey and the new decryption attribute of the <machineKey> element to encrypt forms authentication tickets. The decryption attribute lets you specify the encryption algorithm to use. ASP.NET 1.1 and 1.0 use 3DES encryption, which is not configurable. Tampering with the ticket value is determined by a failure to decrypt the ticket on the server. As a result, the user will be redirected to the logon page.
If the application is deployed in a Web farm, you must make sure that the configuration files on each server share the same value for the validationKey and decryptionKey attributes in the <machineKey> tag, which are used for hashing and decryption of the ticket respectively. You must do this because you cannot guarantee which server will handle successive requests. For more information about FormsAuthenticationTicket encryption and Web farm deployment considerations, visit the following MSDN Web site:
http://msdn2.microsoft.com/en-us/library/ms998288.aspx
A walk through of methods to manually generate keys can be found in the following Microsoft Knowledge Base articles:
(http://msdn2.microsoft.com/en-us/library/ms998288.aspx)
312906
(http://support.microsoft.com/kb/312906/ )
How to create keys by using Visual C# .NET for use in Forms Authentication313091
Forms authentication tickets can be generated manually by using the FormsAuthenticationTicket class. For more information, visit the following MSDN Web site:
(http://support.microsoft.com/kb/313091/ )
How to create keys by using Visual Basic .NET for use in Forms Authenticationhttp://msdn2.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx
(http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx)
How are cookie expiration and ticket expiration related?
In case of non-persistent cookie, if the ticket is expired, cookie will also expire, and the user will be redirected to the logon page. On the other side, if the ticket is marked as persistent, where the cookie is stored on the client box, browsers can use the same authentication cookie to log on to the Web site any time. However, we can use the FormsAuthentication.SignOut method to delete persistent or non-persistent cookies explicitly.For more information about the FormsAuthentication.SignOutmethod, visit the following MSDN Web site:
http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx
With cookieless forms authentication, if the browser is closed, the ticket is lost and a new ticket will be generated on the next request.
(http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx)
How does sliding expiration work in the context of forms authentication ticket and forms authentication cookie?
Sliding expiration works exactly the same way!Let us take an example: If the logon page is accessed at 5:00 00:00:00 PM, it should expire at 5:10 00:00:00 PM if the timeout attribute is 10 and the slidingExpiration attribute is set to TRUE. Now, if any Web page is browsed again at 5:05 00:00:00 PM, the cookies and ticket time-out period will be reset to 5:15 00:00:00 PM.
Note If the Web page is accessed before half of the expiration time passes, the ticket expiration time will not be reset. Fore example, if any Web page is accessed again at 5:04 00:00:00 PM, the cookies and ticket timeout period will not be reset.
For more information, visit the following MSDN Web site:
http://msdn2.microsoft.com/en-us/library/1d3t3c61(vs.71).aspx
(http://msdn2.microsoft.com/en-us/library/1d3t3c61(vs.71).aspx)
Where can the time-out value of the forms authentication cookie and forms authentication ticket be set?
The only setting that you can make is in the Web.config file or the Machine.config file, in the <forms> tag. This change will determine the time-out period of forms authentication in the context of a ticket or cookie unless the ticket is generated manually.<!-- forms Attributes: name="[cookie name]" - Sets the name of the cookie used for Forms Authentication. loginUrl="[url]" - Sets the URL to redirect client to for authentication. protection="[All|None|Encryption|Validation]" - Sets the protection mode for data in cookie. timeout="[minutes]" - Sets the duration of time for cookie to be valid (reset on each request). path="/" - Sets the path for the cookie. requireSSL="[true|false]" - Should the forms authentication cookie be sent only over SSL? slidingExpiration="[true|false]" - Should the forms authentication cookie and ticket be reissued if they are about to expire? -->
http://msdn.microsoft.com/en-us/library/1d3t3c61(VS.100).aspx(http://msdn.microsoft.com/en-us/library/1d3t3c61(VS.100).aspx)
For more information about FormsAuthenticationTicketmembers, visit the following MSDN Web site:
http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthenticationticket_members.aspx
(http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthenticationticket_members.aspx)